About IPv6 Support in Fireware
- IPv6 addressing — You can add a static IPv6 address to the External, Trusted, Optional, or Custom interfaces when the Firebox is configured in mixed routing mode. This includes VLAN, Bridge, and Link Aggregation interfaces.
For more information, see Configure IPv6 for an External Interface and Configure IPv6 for a Trusted or Optional Interface.
- IPv6 DNS servers — You can add an IPv6 address to specify a DNS server.
- IPv6 static routes — You can add an IPv6 host or network static route.
- IPv6 Dynamic routing protocols — RIPng, OSPFv3, and BGP.
- IPv6 BOVPN virtual interface routes — You can add an IPv6 route through a Firebox or GRE type IPv4 BOVPN virtual interface.
- BOVPN virtual interface gateways and tunnels — In Fireware v12.4 or higher, you can specify IPv6 addresses.
- BOVPN gateways and tunnels — In Fireware v12.4 or higher, you can specify IPv6 addresses.
- IPv6 device administration — You can connect to your Firebox with the static IPv6 address to administer your Firebox with Fireware Web UI or the CLI. You cannot connect to the Firebox from WatchGuard System Manager with the static IPv6 address.
- Diagnostic logging — You can set the diagnostic log level for IPv6 advertisements.
For information about how to configure diagnostic log levels, see Set the Diagnostic Log Level.
- IPv6 Ping — You can ping IPv6 addresses in Firebox System Manager Diagnostic tasks.
- Packet filter policies — You can specify IPv6 addresses in packet filter policies.
- MAC access control — Applies to both IPv6 and IPv4 traffic.
- Inspection of traffic received and sent by the same interface — Applies to both IPv6 and IPv4 traffic.
- Blocked sites and exceptions — You can specify an IPv6 address when you define a blocked site or exception.
- Blocked ports — Applies to both IPv6 and IPv4 traffic.
- TCP SYN setting — The Enable TCP SYN packet and connection state verification setting in Global Settings applies to both IPv6 and IPv4 traffic.
- Application Control
- Intrusion Prevention Service
- Flood attack prevention — The Default Packet Handling settings to block flood attacks apply to both IPv6 and IPv4 traffic.
- Authentication — IPv6 addresses are supported for Firewall authentication.
- Proxy policies
- WatchGuard subscription services — APT Blocker and WebBlocker require a dual-stacked interface (i.e., IPv4 and IPv6) to function.
- WatchGuard Active Directory single sign-on (Fireware v12.3 or higher) — SSO Agent, SSO Client, and SSO Event Log Monitor
- Bridge mode (Fireware v12.8 or higher)
All other networking and security features are not yet supported for IPv6 traffic. This includes:
- Authentication — Terminal Services, VPN support, fully qualified domain names (FQDN) for RADIUS and SecurID servers, automatic redirect of users to the Authentication page, WatchGuard SSO Exchange Monitor
- Default packet handling other than flood protection
- Server load balancing
- Traffic Management and QoS
- Drop-in mode
- MAC/IP address binding
- Mobile VPN
- Wireless and modem
- Access Portal
Any other feature not in the list of supported IPv6 features is not supported for IPv6 traffic.